Verifying that a Nitrokey has not been compromised


#1

After receiving a Nitrokey Pro in the mail, how can I verify that it has not been tampered with? I have reason to believe that that could be the case, even though the packaging seemed to be intact, and the plastic bag the key was delivered in seemed OK.

I saw an earlier post on this forum, suggesting there is no easy way to do this yourself. If there is a way for NK to do it themselves, I’d be happy to send it back to NK. I’m not even going to demand a refund. I just want my curiosity satisfied.

Regards,
Elias


#2

I do not know how you received it and in which country you live. I bought a NKP very short time ago. I did not find the packaging safe any way. The key came in a “rip off” sack of PU plastic but you could take it without having to destroy the bag. It is actually closed just with a zip lock, so no security at all. Security would have been (to a minimum) a melted plastic that would destroy itself when opening. I consider my NKP compromised but for my purposes it is sufficient. I think if I want to have anything uncompromised, I would have to go to Berlin and take it directly out of the hands of the producer. Face to face. But you would still have to be sure you know who you are talking to. Otherwise, if you have a real problem with a “State”, well, they could do a MIM with some guy withdrawing under your name the key and meeting you to give you another one. Money for these people does not count. So if you send it back, what tells you that it would not be changed again against the original to make you think you are paranoid?
And if you think that last thought was paranoid, then think back to the DDR where the STASI came in the home of the people targeted, when they were at work, and they changed every day some of the dishes (but not all!) of place, in order to make the victim insecure and to doubt about his own rationality or health of mind.
Nowadays this function is taken by sold out journalists that come up with the “conspiracy theory dogma” that is, whatever is not the official view is paranoid and a conspiracy theory. :unicorn:

The nitrokey with storage has a firmware that can be checked. If you have this kind of problem I would rather avoid the NKP and choose the storage type, make sure to come to Berlin and take it up your self or have a person of secure trust doing it…but then, there are a lot of people that do not even trust their wife and again, back in the DDR it was not uncommon that parents betrayed their sons to the STASI.

What I would like for the Nitrokey makers would be a better packaging. A zip locker pack that can be traceless opened and closed is, honestly, sub standard. :scream:


#3

I was disappointed that there was no way to buy a Nitrokey in person in Berlin, even after contacting them. I was willing to go anywhere needed, etc, but sending it through the mail was the only way they would allow. It took a few days to mail the Nitrokey Pro from one Berlin address to another (suspicious?). Also disappointing that I needed to provide personal details (therefore associating myself with this device).

In the end, it arrived in a package that needed to be cut open with scissors (see photo). I was satisfied that a interception and replacement of this silver bag with Nitrokey sticker, etc was unlikely.

Sorry for the blurry photo, but hope it gets the point across:


#4

I think this is partly due to the producer feart they might be pinpointed by the very people you are afraid of.
I had the same packing. It is possible to open it flawlessly because it does not need to be opened by scissors You can open it problem free by hand and close it again without anything being visible. At least mine was packed like this. No thermical solder, no hologram.
My position to this is quite clear: OSS quite compromised (heardbleed was a bug? sure!). Router are. CSS is.
It is a product to protect you from scammers, spammers, and minor criminals. In no case it will protect you from a State institution.
That said, it is better with a hardware token than with a software solution. It ads complexity to an attack.
If you are really subject to “major interest” my advice would be to leave the “pyramid”. Or to accept that there is no “comfort zone”.
Sorry if this sounds cynical. Just my personal experience. Technically from the point of view of “ease of use” it is better then the cryto-stick. But probably being much more commercial than before (when it was a “niche” product, it is “less” safe when it comes to stochastic probability.

YMMV.


#5

Hello Elias,

as for now there is now way to verify the firmware of a NK Pro. As @solucion said, it is possible for NK Storage though. If you are not trusting the firmware of your key, you may can flash it yourself in future. On the github page we publish the firmware. I did not tried the short instruction on how to flash, so for now I can not say, if it works properly.

I try to came back here as soon as I tested the process!

Kind regards
Alex


#6

Assuming we would ship the devices in a welded zipper. An attacker would need to have the knowledge and capabilities to 1) develop a malicious firmware, 2) intercept the shipment (this may be the hardest part) and 3) open and close the plastic casing without traces (to program his malicious firmware). Do you think that a welded zipper which can be bought by anybody for a few cents would stop such attacker? I don’t think so. Quite the opposite: A welded zipper would be snake oil which give you a false feeling of security. A sealed packaging which provides real security is quite hard. However, we do consider using seals in the future but didn’t find a good solution yet.


#7

Jan, I accept that argument of course. And maybe it is snake oil with a welded zypper.

  • a first consideration: would hologram technology ad a bit of security?

  • the welded zypper may be more difficult to fake if you use a difficult to counterfeit label. That said, entities of that kind have access to nearly every technology and a lot of money. So if you are “desired” I would claim you are somewhat “burnt” anyway.

I think currently the transport is however the biggest problem of trust, together with the possibility to check the firmware.
As for the practical aspect i am very happy with what I see if I compare to the “stick 1.2”. Also for what is the integration for what it seems with kleopatra, kgpg, gpa etc.
In reality, one of the countermeasures would be to find a way to “massify” the Nitrokey with a commercial partner (with physical selling points). Nothing is so difficult to manipulate than a large quantity of anonymously sold articles.


#8

Hi,

it is a bit late (sorry for that), but I wanted to inform you, that it is not easily possible to flash the NK Pro yourself.

Kind regards
Alex


#9

I come quite late on this initial question, but with the latest Nitrokey app can one consider downloading the firmware from the key then comparing to the one on github, would be a reasonable way to check one’s firmware was not changed?
(I do not intend to do this, unless given simple instructions, but this may be the actual reason the firmware is now downloadable?)

  • quick and funny addition : I just tried this software export, entered my master PIN, and did get the message “exported” but… I don’t now where it was exported indeed!!

#10

Hi,

don’t you have the Storage? It is different for the Pro. Please look at the other post.

Kind regards
Alex